-rw-r--r-- | group_vars/all.yml | 4 | ||||
-rw-r--r-- | group_vars/keepalived.yml | 2 | ||||
-rw-r--r-- | group_vars/outbound.yml | 2 | ||||
-rw-r--r-- | group_vars/traefik.yml | 2 | ||||
-rw-r--r-- | playbooks/roles/outbound/templates/proxy/docker-compose.yml | 17 | ||||
-rw-r--r-- | playbooks/roles/outbound/templates/proxy/sites-enabled/default.conf | 7 | ||||
-rw-r--r-- | playbooks/roles/outbound/templates/proxy/sites-enabled/idm.conf | 13 | ||||
-rw-r--r-- | playbooks/roles/traefik/templates/stacks/docker-compose.yml | 2 |
8 files changed, 35 insertions, 14 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 5066a4d..db9048f 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -11,6 +11,10 @@ timezone: "America/Los_Angeles"
 domain: "liz.coffee"
 idm_domain: "idm.{{ domain }}"
 headscale_host: "vpn.{{ domain }}"
+# super internal private servers
+traefik_domain: "sips.{{ domain }}"
 # first deployment?
 homelab_build: false
+
+loadbalancer_ip: "10.128.0.200"
diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml
index 8beb081..aa76190 100644
--- a/group_vars/keepalived.yml
+++ b/group_vars/keepalived.yml
@@ -1,7 +1,7 @@
 ---
 keepalived_interface: "enp6s18"
-keepalived_virtual_ip: "10.128.0.200"
+keepalived_virtual_ip: "{{ loadbalancer_ip }}"
 keepalived_virtual_router_id: 50
 keepalived_priority: 100
 keepalived_healthcheck_script: "/etc/keepalived/healthcheck.sh"
diff --git a/group_vars/outbound.yml b/group_vars/outbound.yml
index 0dac73a..3a9a51a 100644
--- a/group_vars/outbound.yml
+++ b/group_vars/outbound.yml
@@ -5,7 +5,7 @@ headscale_base_domain: '{{ headscale_host }}'
 headscale_port: '8080'
 headscale_listen_addr: '0.0.0.0:{{ headscale_port }}'
-headscale_dns_for_connected_clients_1: '1.1.1.1'
+headscale_dns_for_connected_clients_1: '{{ loadbalancer_ip }}'
 headscale_dns_for_connected_clients_2: '1.0.0.1'
 generate_api_key: '{{ homelab_build }}'
diff --git a/group_vars/traefik.yml b/group_vars/traefik.yml
index 75d7e0f..6b7effa 100644
--- a/group_vars/traefik.yml
+++ b/group_vars/traefik.yml
@@ -1,6 +1,4 @@
 ---
-# super internal private servers
-traefik_domain: "sips.{{ domain }}"
 certs_email: "{{ cloudflare_email }}"
 traefik_base: "{{ swarm_base }}/traefik"
diff --git a/playbooks/roles/outbound/templates/proxy/docker-compose.yml b/playbooks/roles/outbound/templates/proxy/docker-compose.yml
index 3074047..7deea56 100644
--- a/playbooks/roles/outbound/templates/proxy/docker-compose.yml
+++ b/playbooks/roles/outbound/templates/proxy/docker-compose.yml
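Review bot: `loadbalancer_ip` is added to group_vars/all.yml without a comment, yet this same commit makes three consumers depend on it (the keepalived VIP, the first DNS server pushed to headscale clients, and the `--advertise-routes` argument in the traefik stack), so a reader editing this value has no way to know it silently re-points client DNS and a tailnet route. Suggest `# keepalived VIP in front of traefik; also handed to headscale clients as DNS server 1 and advertised as a /32 route from the traefik node` above it. The relocated `traefik_domain` now sits directly above the `# first deployment?` comment that belongs to `homelab_build`, so the two comments read as one stanza; a blank line after `traefik_domain` separates them.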
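Review bot: `headscale_dns_for_connected_clients_1` now points every client at the keepalived VIP while `_2` remains the public resolver 1.0.0.1, and nothing in the diff shows a DNS service listening on `{{ loadbalancer_ip }}` (the new idm.conf only uses that address for HTTPS). Resolver libraries treat the two entries as interchangeable and rotate or fail over between them, so internal names would resolve only intermittently, and queries for internal hostnames would also be sent to the public resolver, which defeats the point of a private one. If the VIP is meant to host the internal resolver, confirm a DNS listener actually exists there and either make `_2` a second internal resolver or record the trade-off, e.g. `# VIP hosts the internal resolver; 1.0.0.1 is a public fallback that will also see internal names`.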
@@ -7,6 +7,10 @@ services:
 - TS_STATE_DIR=/var/lib/tailscale
 - TS_USERSPACE=false
 - TZ={{ timezone }}
+
+ - VIRTUAL_HOST=*.{{ domain }},{{ domain }}
+ - VIRTUAL_PORT=80
+ - LETSENCRYPT_HOST=*.{{ domain }},{{ domain }}
 hostname: headscale-outbound
 restart: unless-stopped
 cap_add:
@@ -16,21 +20,16 @@ services:
 - ./data:/var/lib/tailscale
 - /dev/net/tun:/dev/net/tun
 networks:
- - headnet
+ - proxy
 proxy:
 image: nginx:latest
+ network_mode: service:headscale-client
 depends_on:
 - headscale-client
- networks:
- - proxy
- - headnet
- environment:
- - VIRTUAL_HOST=*.{{ domain }},{{ domain }}
- - VIRTUAL_PORT=80
- - LETSENCRYPT_HOST=*.{{ domain }},{{ domain }}
+ volumes:
+ - ./sites-enabled:/etc/nginx/conf.d
 networks:
- headnet:
 proxy:
 external: true
diff --git a/playbooks/roles/outbound/templates/proxy/sites-enabled/default.conf b/playbooks/roles/outbound/templates/proxy/sites-enabled/default.conf
new file mode 100644
index 0000000..d127cc5
--- /dev/null
+++ b/playbooks/roles/outbound/templates/proxy/sites-enabled/default.conf
@@ -0,0 +1,7 @@
+server {
+ listen 80 default_server;
+
+ location / {
+ return 404;
+ }
+}
diff --git a/playbooks/roles/outbound/templates/proxy/sites-enabled/idm.conf b/playbooks/roles/outbound/templates/proxy/sites-enabled/idm.conf
new file mode 100644
index 0000000..c85ebcf
--- /dev/null
+++ b/playbooks/roles/outbound/templates/proxy/sites-enabled/idm.conf
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name idm.liz.coffee;
+
+ location / {
+ proxy_pass https://{{ loadbalancer_ip }};
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/playbooks/roles/traefik/templates/stacks/docker-compose.yml b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
index dfdd6ba..deb5329 100644
--- a/playbooks/roles/traefik/templates/stacks/docker-compose.yml
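Review bot: The `VIRTUAL_HOST`/`VIRTUAL_PORT`/`LETSENCRYPT_HOST` entries now label the tailscale client container instead of the nginx service, and nothing says why, so the next maintainer will be tempted to move them back. Presumably this is because `proxy` switches to `network_mode: service:headscale-client` in the next hunk, so the container that owns the network namespace is the one the front reverse proxy discovers — confirm and record it: `# nginx (service 'proxy') shares this container's network namespace, so the reverse-proxy discovery variables must live here`. The wildcard `*.{{ domain }}` routes every subdomain to this container; that is only safe because the new default.conf answers unknown hosts with 404, which is worth noting next to the wildcard. The `environment` list and the `headscale-client` service header start above the hunk.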
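Review bot: `image: nginx:latest` is unpinned, and after this change it is the component that receives every `*.{{ domain }}` request, so each restart may pull an arbitrary new build; pin it, e.g. `image: nginx:<pinned tag>@sha256:<digest>`. With `network_mode: service:headscale-client`, nginx's port 80 is bound inside the tailscale container's namespace and is therefore reachable from the tailnet interface as well as from the `proxy` network; if tailnet-side exposure is unintended, bind the listener to the `proxy` network address or filter it inside the container. `depends_on` only waits for the container to exist, not for the tunnel to be up, so requests to the `{{ loadbalancer_ip }}` upstream will fail until tailscale connects — acceptable, but worth a one-line comment on the `network_mode` line.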
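Review bot: The catch-all server correctly answers unknown hosts with 404, but `listen 80 default_server;` without `server_name _;` leaves the intent implicit; adding `server_name _;` and the comment `# catch-all: any host without its own vhost file gets 404 (the wildcard VIRTUAL_HOST routes every subdomain here)` makes clear that this file is the safety net for the wildcard routing in docker-compose.yml. Because `./sites-enabled` is bind-mounted over /etc/nginx/conf.d, this file presumably replaces the image's own default server, so it should stay present whenever the mount does.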
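Review bot: `proxy_ssl_verify off;` disables upstream certificate verification for the identity provider, so anything that can answer for 10.128.0.200 on this path can impersonate the IdM to every tailnet client, which is the one hop where verification matters most. The likely reason it was turned off is that nginx sends no SNI by default, so the VIP presents a certificate that does not match; `proxy_ssl_server_name on` plus `proxy_ssl_name` lets verification succeed against the real certificate (assuming it is publicly issued, as `certs_email: "{{ cloudflare_email }}"` in group_vars/traefik.yml suggests — confirm; otherwise point `proxy_ssl_trusted_certificate` at the internal CA bundle). `server_name idm.liz.coffee;` hardcodes a name that `idm_domain` already defines in group_vars/all.yml, and this template already renders `{{ loadbalancer_ip }}`, so use `{{ idm_domain }}` for both the vhost and the SNI name. `X-Forwarded-Proto $scheme` will always be `http` here because TLS is terminated in front of this server block; forwarding the scheme the front proxy saw keeps the backend from issuing plaintext redirects or cookies (confirm the front proxy sets that header).
```nginx
server_name {{ idm_domain }};
# … unchanged: listen …
location / {
    proxy_pass https://{{ loadbalancer_ip }};
    # send SNI so the VIP presents the idm certificate, then verify it instead of disabling checks
    proxy_ssl_server_name on;
    proxy_ssl_name {{ idm_domain }};
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate <path to CA bundle inside the container>;
    # … unchanged: Host, X-Real-IP, X-Forwarded-For headers …
    # TLS is terminated in front of this server; pass through the scheme the front proxy saw
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
}
```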
+++ b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
@@ -5,7 +5,7 @@ services:
 restart: unless-stopped
 environment:
 - TS_AUTHKEY={{ headscale_user_auth_key }}
- - TS_EXTRA_ARGS=--login-server=https://{{ headscale_host }} --accept-dns --stateful-filtering=false
+ - TS_EXTRA_ARGS=--login-server=https://{{ headscale_host }} --accept-dns --stateful-filtering=false --advertise-routes={{ loadbalancer_ip }}/32
 - TS_STATE_DIR=/var/lib/tailscale
 - TS_USERSPACE=false
 - TZ={{ timezone }} |
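Review bot: `--advertise-routes={{ loadbalancer_ip }}/32` turns the traefik node into a subnet router for the VIP, but the route does nothing until headscale approves it (advertised routes stay unapproved unless an auto-approver policy or a manual approval covers them — confirm how this deployment handles that) and until the container can forward packets (with `TS_USERSPACE=false` the IP-forwarding sysctls in the container's namespace are required, and neither is visible in the diff). This also makes the VIP, and therefore every vhost traefik fronts, reachable from every node headscale allows onto that route, so an ACL entry scoped to the `/32` belongs alongside this change. The `TS_EXTRA_ARGS` line now carries three unrelated concerns on one line; a comment above it such as `# advertise the keepalived VIP so tailnet clients reach traefik (and the idm proxy) without public exposure` records the intent. The `environment` list's service header is above the hunk.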